People's reaction to this is just stupid.

People's reaction to this is just stupid.

""" Your assumption that the ability to run 'sudo yum update' implies the ability to run 'sudo ls' or 'sudo sh' is incorrect. (Just because Ubuntu sets it up that way doesn't mean it's the only way, or even a particularly good one.) """

My assumption is based on the reality of what is a seems to be a acceptable default configuration for distros. The 'status quo', so to say. If you can lock down sudo then I can change whatever I want with package kit and it is impossible to make a good comparison.

""" At least sudo can be configured to ask you for a password (at intervals or every time), and as it's setuid it's relatively hard for an attacker running as the user to spy on the user's keystrokes as he types it in. So elevation to the user does not necessarily mean you can get to root that way."""

Yes.

The usual default configuration is to allow sudo access by prompting for a password. This is what I am talking about. And it allows you to re-run sudo without a password for a period of time. My example exploit depends on this behavior. If you run sudo from one console then that gives unlimited root access to any sudo command without prompting for a password for a period of time for every instance of that user's account.

Of course this is configurable, but remember the dispute is about default configurations. I am not sure how it is with Fedora, but people don't seem to have a problem with Ubuntu and I think it's the same.

""" In any case, the existence of one security hole isn't a reason to allow another one to continue to exist! """

Sure... But you have to realize that the use of things like packagekit and policykit is to eliminate the need for things like sudo for typical desktop activities.

I am of the opinion that a desktop that does not require running root code under a user's account as a part of normal everyday activities is superior to one that does. I am looking forward to the day that a user is able to perform every common function on the desktop without requiring root access or running root code under their account and this is a big step in that direction. No distro should ship with sudo enabled for anything!

Sudo and su should be reserved for administrators and experts. Expecting normal users to be able to use these things safely is asking too much. And using gtksudo (and similar things) to run GUI applications entirely as root under your account is a huge security hole in itself. Probably the thing should ask for a admin password or something like that, but I think that asking for a user's password is security theater and asking for a root password is just a plain bad idea.